A closer look at Windows 10 S, Windows 10 on ARM and Windows 10 IoT

Windows RT, Microsoft’s ill-fated attempt to rival the iPad with a version of Windows that ran on ARM chips, made a lot of changes to the familiar OS to move it to a new processor and make the apps that run on it more efficient and secure.

Now Microsoft is coming out with two new versions of Windows and dividing those changes between them: Windows 10 S and Windows 10 on ARM. This isn’t about the limitations of using ARM processors – it’s about crafting versions of Windows that solve very specific problems.

So let’s look in depth at these fresh operating systems, also comparing them to that other spin on Microsoft’s OS, Windows 10 IoT, which is aimed at the likes of smart home gadgets and much more. How do all these different flavours stack up and compare to each other – and to Windows 10 itself – in the overall picture?

It’s Windows 10 on ARM but Microsoft and Qualcomm often just call it Windows 10

Windows 10 on ARM

Windows 10 running on ARM processors will be very much like Windows 10 itself, with only one main restriction. You’ll be able to run apps from the Windows Store on Windows on ARM, but you’ll also be able to run Win32 apps – whether they come from the Windows Store because they’ve been packaged with the Desktop Bridge tool, or whether you download them from the web at large and install them as normal desktop apps.

Windows on ARM has a built-in emulator for 32-bit apps that’s based on the Windows on Windows (WOW) technology that Windows 10 uses to run 32-bit (x86) software on 64-bit (x64) PCs. The real-time ‘Just-In-Time’ transcoding emulation that converts x86 instructions to ARM is done the first time you run the software, and then it’s cached by Windows – so the next time you run the software, you’re running the ARM64 version of the code that was created on-the-fly the first time, making it run without significant lag or delay.

Windows on ARM looks like Windows 10, has the Windows 10 desktop and runs Windows software like 7-Zip

The aim with Windows 10 on ARM isn’t to get a super-secure system – that’s what Windows 10 S is for. Rather, it’s to let OEMs build PCs with the long battery life and built-in connectivity of ARM solutions like Qualcomm’s Snapdragon 835. Many of these ARM devices will be ‘Always Connected’ PCs with embedded SIMs (eSIMs) that let you switch carriers without plugging in a physical SIM, but there will be Always Connected PCs with eSIMs that have Intel rather than ARM processors as well. (Always Connected is really the latest version of Connected Standby, a feature introduced in Windows 8.)

Confusingly, Microsoft and Qualcomm are simply calling this ‘Windows 10’. What you get is Windows 10, with the Windows 10 desktop, but it’s Windows 10 running on ARM rather than on an Intel or AMD CPU. In practice, the only difference will be that 64-bit desktop software won’t run on these devices.

How Windows 10 on ARM runs desktop software

That’s not a technical limitation – ARM64 chips could run emulated x64 instructions as easily as x86 instructions, although x64 has more registers which the emulation would have to cope with.

Microsoft hasn’t been able to give us a reason why x64 isn’t supported, and it may simply be that it’s reusing the WOW 32-bit emulation it already had for running x86 code on x64 systems, and that rewriting that to run x64 code as well would be a lot of work. (Many app installers are 64-bit even when the apps they install are 32-bit, so it will be interesting to see how this 32-bit restriction works in practice).

Similarly, when Microsoft talks about ‘Windows 10 on cellular PCs’ that’s more likely to mean PCs with LTE and eSIMs than phones that run desktop apps, even though the latter is technically possible.

Windows 10 S

Designed for schools – and to compete with Chromebooks – Windows 10 S is far more restricted than Windows on ARM, even though the first systems will have x86 processors inside (and schools can put Windows 10 S onto their existing Windows Pro PCs). It’s these restrictions that give Windows 10 S faster boot times and better battery life than Windows 10 on the same hardware; there are no startup applications or background tasks slowing down boot or using up battery.

Windows 10 S only runs apps that come from the Windows Store, and you can’t sideload UWP apps from other sources. Those apps can be desktop apps like Evernote and Slack, Spotify and iTunes, which have been converted for the Store using the Desktop Bridge – that’s how Microsoft will get Office 2016 onto Windows 10 S.

This is the one place where Windows 10 S is potentially less locked down than Windows 10 on ARM – it’s possible to convert 64-bit desktop apps to Store apps and those converted apps should run on Windows 10 S.

That’s not going to include Firefox or Chrome though, because the Windows Store policies only allow browsers that use the Edge and Chakra HTML and JavaScript engines included in Windows. If Chromium was wrapped as a Store app, it would get the virtualised registry and redirected file system of a UWP app, but converted apps have the ‘runFullTrust’ capability that lets them perform operations outside the app sandbox. And that would make a Store version of Chrome no more secure than a desktop version.

“Just because an ‘app’ comes from the Windows Store does not automatically mean it’s safe and suitable for running on Windows 10 S,” explained senior program manager Rich Turner. Similarly, converted apps that generate code and write it to disk “won’t run properly on systems running Windows 10 S”. So Minecraft will work, but a developer tool like Visual Studio won’t.

Remote tools like Citrix Receiver will be the only way to get apps that don’t come from the Windows Store ‘running’ on Windows 10 S

You will be able to run desktop apps – including Chrome – remotely, using Citrix Receiver (but you must have a XenDesktop environment to remote those apps from). That works because any security or power impact from the desktop apps happens on the remote server, not on the Windows 10 S device.

Windows 10 S has no command line or console, so it doesn’t include the Windows Subsystem for Linux (even though that’s now distributed through the Windows Store), or even PowerShell. That means that malware which uses scripts, PowerShell or macros to attack Windows just won’t work on Windows 10 S. (And having no command line stops users sideloading apps that don’t come from the Store).

It also means that while Windows 10 S PCs can be set up using a USB stick produced with a special setup tool, they have to be managed using the built-in MDM client, via Microsoft’s Intune service. That has controls for networking and browser settings, and can even turn off the camera on the device during school hours, but it doesn’t slow the system down the way group policies do.

Windows 10 S works with Windows Update for Business, which lets admins choose when the twice-a-year feature updates and monthly quality updates get installed, including setting the time of day and deferring them by up to 30 days – but not blocking them altogether.